module
N-able N-Central Authentication Bypass and XXE Scanner
| Disclosed | Created |
|---|---|
| Nov 17, 2025 | Dec 12, 2025 |
Disclosed
Nov 17, 2025
Created
Dec 12, 2025
Description
This module scans for vulnerable N-able N-Central instances affected by
CVE-2025-9316 (Unauthenticated Session Bypass) and CVE-2025-11700 (XXE).
The module attempts to exploit CVE-2025-9316 by sending a sessionHello SOAP
request to the ServerMMS endpoint with various appliance IDs to obtain an
unauthenticated session. If successful, it then tests for CVE-2025-11700
by writing an XXE payload file and triggering it via importServiceTemplateFromFile.
Files of interest that can be read via XXE:
- /opt/nable/var/ncsai/etc/ncbackup.conf
- /var/opt/n-central/tmp/ncbackup/ncbackup.bin (PostgreSQL dump)
- /opt/nable/etc/keystore.bcfks (encrypted keystore)
- /opt/nable/etc/masterPassword (keystore password)
Affected versions: N-Central
CVE-2025-9316 (Unauthenticated Session Bypass) and CVE-2025-11700 (XXE).
The module attempts to exploit CVE-2025-9316 by sending a sessionHello SOAP
request to the ServerMMS endpoint with various appliance IDs to obtain an
unauthenticated session. If successful, it then tests for CVE-2025-11700
by writing an XXE payload file and triggering it via importServiceTemplateFromFile.
Files of interest that can be read via XXE:
- /opt/nable/var/ncsai/etc/ncbackup.conf
- /var/opt/n-central/tmp/ncbackup/ncbackup.bin (PostgreSQL dump)
- /opt/nable/etc/keystore.bcfks (encrypted keystore)
- /opt/nable/etc/masterPassword (keystore password)
Affected versions: N-Central
Authors
Zach Hanley (Horizon3.ai)
Valentin Lobstein [email protected]
Valentin Lobstein [email protected]
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.